
The FTC Safeguards Rule for Auto Dealerships, in Plain English
If your dealership arranges financing or leasing, federal law treats you like a financial institution — and expects you to protect customer data like one. Here's what the FTC Safeguards Rule actually requires.
Most dealership owners didn't get into the car business to become regulated financial institutions. But if your store arranges financing or leasing — and nearly every dealership does — that is exactly how federal law sees you, and the FTC's Safeguards Rule applies to you.
The rule is not new, but enforcement attention keeps growing, and the FTC has published dealer-specific guidance spelling out expectations. Here is what it requires, translated out of regulation-speak.
Why dealerships are covered
Customer credit applications flow through your store: Social Security numbers, income, addresses, banking details. Because you collect that information to arrange financing, the Gramm-Leach-Bliley Act classifies you as a "financial institution," and the Safeguards Rule is the FTC's set of rules for how financial institutions must protect customer information.
What the rule actually requires
The core requirement is a written information security program with several specific elements. In plain terms:
Someone has to own it. You must designate a "Qualified Individual" to oversee your security program. Notably, the FTC explicitly allows this person to work for a service provider, such as a managed IT partner, rather than being on your payroll. But the responsibility for compliance stays with the dealership either way: if you outsource the role, the rule still expects you to name a senior person on your own staff to direct and oversee that Qualified Individual, and to require the provider to maintain a program that meets the rule.
A written risk assessment. Not a gut feeling, but a documented assessment of where customer information lives in your business, what could go wrong with it, and how your safeguards address those risks. The rule also expects it to be revisited periodically, not filed once and forgotten.
Multi-factor authentication. The rule requires MFA for anyone accessing any information system that holds customer information (16 C.F.R. § 314.4(c)(5)). The only exception is an access control your Qualified Individual has approved in writing as reasonably equivalent or more secure; "the vendor didn't support it" is not an exception. The FTC has also made clear that this extends to service providers: if your DMS vendor or any other third party has direct access to your network, their access needs MFA too.
Monitoring, continuous or scheduled. You must either continuously monitor your systems, or run annual penetration testing plus vulnerability assessments at least every six months, with additional assessments whenever there is a material change to your operations or business arrangements (a new DMS, a new lender portal, a merger). Pick one; "neither" is not an option.
Training. Security awareness training for your staff, because the finance office is a prime phishing target.
Oversight of your vendors. You are expected to choose service providers capable of protecting customer data, to hold them to it in your contracts, and to periodically check that they are actually doing so.
A written incident response plan. When something happens — a compromised email account, a ransomware event — the rule expects you to already have a written playbook for responding and recovering.
An annual report to ownership. The Qualified Individual must report in writing, at least annually, to your board or ownership on the state of the program.
The breach-reporting clock
Since May 2024, there is also a federal notification requirement: if unencrypted customer information of 500 or more consumers is acquired without authorization, you must notify the FTC as soon as possible and no later than 30 days after you discover the event. That is in addition to state law. Wisconsin businesses, for example, also have their own statute requiring customer notification within a reasonable time, not to exceed 45 days.
Note the word unencrypted. Encryption is not just a technical nicety; it is the difference between a reportable event and a non-event. One caveat: the rule treats data as unencrypted if the attacker also got the encryption key, so a laptop with the key sitting next to the database, or a stolen admin account that can decrypt at will, does not earn the exemption.
Where dealerships commonly fall short
Based on what the rule demands, the gaps we most often see dealers wrestling with are the unglamorous ones: MFA that covers office staff but not the DMS vendor's remote access; a risk assessment that was written once and never revisited; an incident response "plan" that exists mainly in one manager's head; and no one formally named as the Qualified Individual, or no senior staff member overseeing the outsourced one.
None of these are expensive to fix. All of them are expensive to explain after a breach.
The takeaway
The Safeguards Rule is really a checklist for running a dealership that criminals can't casually rob through an inbox. Most of it is security you would want anyway; the rule just makes it mandatory and auditable.
Coulee Tech works with auto dealerships on exactly this stack — from compliance management to serving as the day-to-day security arm behind a dealership's Qualified Individual. If you are not sure which of the requirements above you could show an auditor tomorrow, that is the place to start.
This article is a plain-English overview, not legal advice — for compliance decisions, involve your attorney.